
It has become a requirement for us to have more than one password policy on the same domain. I have been doing some research and it looks like the way to achieve this is through Fine-Grained Password Policies. I can see plenty of articles online which explain it, and there is a tool for doing this now rather than using ADSI Edit, for example https://specopssoft.com/blog/create-fine-grained-password-policy-active-directory/. We already have a GPO-based password policy.

My question is: how do we move from the GPO password policy to Fine-Grained? Will it cause a mess with the security or potentially lock people out? Can you just create a Fine-Grained policy in addition to the GPO one and attach it to an OU, or will that be overridden? Do we have to completely remove the GPO and create Fine-Grained policies? I can't see anything online which explains how to move from one to the other and what the implications are.

RLBChrisBriant

1 Answer


Fine grained password policies will overrule 'generic' or GPO password policies.

You can also easily assign these new fine grained policies to a group of users to test with.

Erwin
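The pilot-group test described in the answer above, as an added example that is not part of the original post. It uses the ActiveDirectory PowerShell module; the group name, policy name and all setting values are constructed placeholders, and the existing GPO-delivered domain policy is left untouched.

```powershell
# Added example: names and values below are constructed placeholders.
Import-Module ActiveDirectory

$pilotGroup = 'FGPP-Pilot'          # hypothetical global security group
$policyName = 'PSO-Pilot-Strict'    # hypothetical password settings object (PSO)

# Baseline: what the existing domain (GPO-delivered) policy enforces today.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, PasswordHistoryCount, MaxPasswordAge, LockoutThreshold

# PSOs are linked to users or global security groups, so create a pilot group.
if (-not (Get-ADGroup -Filter "Name -eq '$pilotGroup'")) {
    New-ADGroup -Name $pilotGroup -GroupScope Global -GroupCategory Security
}

# Create the PSO. A lower Precedence value wins when several PSOs reach one user.
New-ADFineGrainedPasswordPolicy -Name $policyName -Precedence 10 `
    -MinPasswordLength 14 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '90.00:00:00' `
    -LockoutThreshold 10 -LockoutObservationWindow '0.00:15:00' `
    -LockoutDuration '0.00:15:00' -ProtectedFromAccidentalDeletion $true

# Link the PSO to the pilot group only; everyone else stays on the domain policy.
Add-ADFineGrainedPasswordPolicySubject -Identity $policyName -Subjects $pilotGroup

# Verify per pilot user which policy is actually in effect. No resultant PSO
# means the account still falls back to the default domain policy.
Get-ADGroupMember -Identity $pilotGroup -Recursive |
    Where-Object objectClass -eq 'user' |
    ForEach-Object {
        $rp = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
        [pscustomobject]@{
            User       = $_.SamAccountName
            Effective  = if ($rp) { $rp.Name } else { 'Default Domain Policy' }
            Precedence = if ($rp) { $rp.Precedence } else { $null }
        }
    }

# Review every PSO in the domain, ordered the way conflicts are resolved.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Sort-Object Precedence |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, AppliesTo
```

Comparing the baseline output with the per-user table shows which accounts have moved to the new policy before the pilot group is widened.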